Rezzy
Last updated: 13 June 2026

Privacy Policy

Your privacy matters. This policy explains how we collect, use, and protect your data in compliance with UK GDPR and the Data Protection Act 2018.

UK GDPR Compliant

This policy is written in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).

1. Who We Are

Rezzy Ltd ("Rezzy", "we", "us", "our") is the data controller responsible for your personal data when you use the Rezzy platform at rezzy.co.uk.

Data Controller: Rezzy Ltd

Website: rezzy.co.uk

Contact: privacy@rezzy.co.uk

Where a Business Owner uses Rezzy to manage their customer bookings, the Business Owner is the Data Controller for their customers' data, and Rezzy acts as the Data Processor.

2. Information We Collect

2.1 Information you provide directly:

  • Account information: name, email address, phone number, password
  • Business information: business name, address, logo, services, staff details
  • Booking information: appointment details, service preferences, notes
  • Payment information: billing address, payment method (card details processed by Stripe — we do not store card numbers)
  • Stripe Connect information: connected Stripe account ID, payment status, transaction IDs, transfer details, fee records, and related metadata where online payments are enabled
  • Communications: messages you send us via email or support channels

2.2 Information collected automatically:

  • Usage data: pages visited, features used, time spent, clicks
  • Device information: IP address, browser type, operating system, device identifiers
  • Log data: server logs, error reports, access timestamps
  • Cookies: session cookies, preference cookies (see Section 5)

2.3 Information from third parties:

  • Payment processors: Stripe may share transaction status and billing details
  • Connected payment accounts: Stripe may share account capability, onboarding, payout, fee, refund, and dispute information needed to operate online payments
  • Calendar providers: Google Calendar event metadata if you connect your calendar

3. How We Use Your Information

We use your personal data for the following purposes:

| Purpose | Details |
| --- | --- |
| Providing the Service | Creating and managing your account, processing bookings, managing staff and customer records |
| Billing & Payments | Processing subscription payments, customer booking payments, Stripe Connect payouts, platform fees, invoices, receipts, refunds, disputes, and payment reconciliation |
| Communications | Sending booking confirmations, reminders, notifications, and support responses |
| Platform Improvement | Analysing usage to improve features, fix bugs, and develop new functionality |
| Security | Detecting and preventing fraud, abuse, and unauthorised access |
| Legal Compliance | Complying with our legal obligations including tax, accounting, and regulatory requirements |
| Marketing | Sending promotional emails where you have given consent (you can opt out at any time) |

5. Cookies & Tracking

We use cookies and similar technologies in accordance with the Privacy and Electronic Communications Regulations (PECR).

| Cookie Type | Purpose | Consent Required |
| --- | --- | --- |
| Strictly Necessary | Session management, authentication, security (CSRF tokens) | No |
| Functional | Remembering your preferences and settings | Optional |
| Analytics | Understanding how users interact with the platform | Yes |

You can control cookies through your browser settings. Disabling strictly necessary cookies may prevent the Service from functioning properly.

6. Data Sharing & Third Parties

We do not sell your personal data. We may share your data with trusted third parties only as necessary to provide the Service:

Stripe

Payment processing, Stripe Connect onboarding, payouts, fees, refunds, disputes, and payment fraud checks. PCI-DSS Level 1 certified.

stripe.com/gb/privacy

Twilio

SMS and WhatsApp notifications (if enabled).

twilio.com/legal/privacy

Google

Google Calendar integration and Google Cloud Storage (if enabled).

policies.google.com/privacy

OpenAI

AI-powered features (if enabled by the Business Owner).

openai.com/privacy

Amazon Web Services

Cloud hosting and file storage infrastructure.

aws.amazon.com/privacy

We may also disclose data to law enforcement or regulatory bodies if required by law, or to protect the rights, property, or safety of Rezzy, our users, or others.

7. International Transfers

Some of our third-party service providers operate outside the UK and European Economic Area (EEA). Where personal data is transferred internationally, we ensure appropriate safeguards are in place, including:

  • UK adequacy regulations for countries deemed to have equivalent protection
  • Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office (ICO)
  • Binding Corporate Rules or other approved transfer mechanisms

8. Data Retention

We retain your personal data for as long as necessary to provide the Service and comply with our legal obligations:

| Data Type | Retention Period |
| --- | --- |
| Account data | Duration of account + 30 days after deletion request |
| Booking records | 6 years (UK tax and legal compliance) |
| Payment records | 7 years (HMRC requirements) |
| Support communications | 3 years from last interaction |
| Marketing preferences | Until consent is withdrawn |
| Server logs | 90 days |
| Cookies (session) | Deleted when browser is closed |

9. Your Rights Under UK GDPR

Under the UK GDPR and Data Protection Act 2018, you have the following rights:

Right to Access

Request a copy of the personal data we hold about you (Subject Access Request).

Right to Rectification

Request correction of inaccurate or incomplete personal data.

Right to Erasure

Request deletion of your data ("right to be forgotten") where there is no lawful reason to retain it.

Right to Restriction

Request that we restrict processing of your data in certain circumstances.

Right to Portability

Receive your data in a structured, machine-readable format and transfer it to another provider.

Right to Object

Object to processing based on legitimate interests or for direct marketing purposes.

Automated Decisions

Not be subject to solely automated decisions that significantly affect you.

Right to Withdraw Consent

Withdraw consent at any time where processing is based on consent.

How to exercise your rights

Email us at privacy@rezzy.co.uk with your request. We will respond within 30 days. We may need to verify your identity before processing your request. There is no charge for most requests.

10. Children's Privacy

The Rezzy platform is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If we become aware that a child under 13 has provided us with personal data without parental consent, we will delete it.

Business Owners who offer services to children are responsible for obtaining appropriate parental consent under applicable law.

11. Business Owners & Their Customers

When you use Rezzy to manage your business, your customers' personal data is processed by Rezzy on your behalf. In this context:

  • You are the Data Controller — you decide what data to collect and why
  • Rezzy is the Data Processor — we process data only on your documented instructions
  • You must have your own privacy policy visible to your customers
  • You must have a lawful basis to collect and process your customers' data
  • You are responsible for handling your customers' data subject requests

Our Data Processing Agreement (DPA) — which forms part of our Terms of Service — sets out our respective obligations under UK GDPR Article 28.

12. Security

We implement appropriate technical and organisational security measures to protect your personal data against accidental or unlawful destruction, loss, alteration, or unauthorised access, including:

  • HTTPS encryption for all data in transit
  • Bcrypt password hashing
  • CSRF token protection on all forms
  • SQL injection prevention via parameterised queries
  • Role-based access controls
  • Regular security reviews

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and affected individuals without undue delay, as required by UK GDPR Article 33.

13. Marketing Communications

We will only send you marketing emails if you have explicitly opted in. You can unsubscribe at any time by:

  • Clicking the "Unsubscribe" link in any marketing email
  • Updating your notification preferences in your account settings
  • Emailing us at privacy@rezzy.co.uk

Transactional emails (such as booking confirmations, payment receipts, and account notices) are not marketing emails and will continue to be sent as part of the Service.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or via a notice in the platform. The "Last updated" date at the top of this page will always reflect the most recent version.

We encourage you to review this policy periodically. Continued use of the Service after changes are posted constitutes your acceptance of the updated policy.

15. Contact & Complaints

If you have any questions about this Privacy Policy or how we handle your personal data, please contact us:

Rezzy Ltd — Data Privacy

privacy@rezzy.co.uk

rezzy.co.uk

Right to complain to the ICO

If you believe we have not handled your personal data in accordance with the law, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

ico.org.uk

0303 123 1113

We would appreciate the opportunity to address your concerns before you contact the ICO, so please contact us first.

© 2026 Rezzy Ltd. All rights reserved.